Stay Compliant: Update Your Vendor Contracts Before 2023 – Privacy Protection

Starting in December 2022, a series of significant laws (domestic and international) are due to come into effect which will impact new AND existing vendor contracts. Vendor contracts are agreements between two parties (a vendor and a business/individual) that detail the goods and/or services that will be provided in exchange for compensation. The applicability of the pending updates will depend on certain criteria relating to the contracting parties, such parties’ respective jurisdictions, and the contract terms themselves.

International Privacy Laws (December 27, 2022)

On June 4, 2021, the European Commission issued updated Standard Contractual Clauses (“SCCs”). The SCCs are preapproved contract clauses that seek to ensure compliance with the General Data Protection Regulation (“GDPR”) by establishing appropriate data protection safeguards. As a result, prior to the December 27, 2022 deadline, service contracts between controllers and processors that involve data transfers from the European Union (“EU”) to third countries (such as the United States) must be either drafted to include or, if already in existence, amended to include, the new SCCs.

Please note that these changes do not apply to vendor contracts that involve international data transfers with the United Kingdom (“UK”). The UK adopted the SCCs while a member of the EU, but left the EU prior to the issuance of the updated SCCs. The UK still follows the older SCC versions and, therefore, contracts must include both SCC versions if data will be transferred from the EU and the UK to the United States (or other third party countries).

Domestic Privacy Laws (January 1, 2023)

On January 1, 2023, the California Privacy Rights Act (“CPRA”) and Virginia Consumer Data Protection Act (“CDP”) will become effective. On July 1, 2023, California will begin to enforce the CPRA, and the Colorado Privacy Act (“CPA”) will also go into effect. In addition, on December 31, 2023, the Utah Consumer Privacy Act (“UCPA”) will become effective.

Overall, these privacy laws are very similar. For example, under all four acts, consumers have the right to opt out of the sale and sharing (i.e., targeted advertisements) of their personal information (“PI”). However, the acts differ in key ways including, but not limited to, the following: 1) the CPRA gives consumers the right to limit the use and disclosure of sensitive PI; 2) the CDP only permits consumers to request access to their PI free of charge twice per year; 3) the CPA requires a universal opt-out for both sales and sharing; and 4) the UCPA does not allow consumers to correct collected PI.

Subscription/Automatic Renewal Law Updates (January 1, 2023)

Commencing January 1, 2023, businesses that serve Idaho consumers will need to update their contracts if such contracts are automatically renewed. Automatic renewal or “subscription” contracts are arrangements whereby subscription agreements are automatically renewed for a specific price at the end of a definite term on a recurring basis unless the consumer cancels the agreement (e.g., book of the month clubs). Pursuant to Idaho’s new law, such contracts must include clear and conspicuous disclosures about the automatic renewal offer terms and cancellation methods. While Idaho is the most recent to enact a subscription law, the Federal Trade Commission, California, and Colorado have also updated their automatic renewal rules and laws over the past year.

As businesses prepare their vendor contracts to be compliant with international privacy laws (December 27, 2022) and domestic privacy laws (January 1, 2023), they should also take the opportunity to ensure that their contracts are compliant with the forthcoming CPA and UCPA, and other relevant laws. Combining efforts in this way should result in significant time and cost savings.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
